Copyright © 2005
Server and workstation machines that are running Samba
often have multiple network interfaces. Sometimes it may not be
prudent to allow Samba to be accessed over all network
interfaces. This article describes the
smb.conf parameters used to restrict Samba
to only use particular network interfaces, and how to test this
is actually working using some Unix command line tools.
Let's assume that we have a server with two network
interfaces. Say that one interface,
connects to the company network
eth1 connects to
192.168.1.0/24, a small private network
within the company. For one reason or another, we want shares
exported by Samba to be available on the private network
eth1, but not visible to the rest of the
eth0. The machine in
question is may be a firewall, gateway or plays some other
sensitive role. In other configurations, you might want to avoid
SMB connections over your PPP or wireless connection, for
smb.conf parameters here
are both global parameters. They are
only. From the manual page for
smb.conf, we find the following
This option allows you to override the default network interfaces list that Samba will use for browsing, name registration and other NBT traffic. By default Samba will query the kernel for the list of all active interfaces and use any interfaces except
127.0.0.1that are broadcast capable.
This global parameter allows the Samba admin to limit what interfaces on a machine will serve SMB requests. It affects file service
smbd(8)and name service
nmbd(8)in a slightly different ways.
(The two parameters kind of overlap a bit, I think. I don't
see why it should be necessary to specify
interfaces only if you have already specified something
interfaces parameter. One implies
Anyway, if you read the rest of the documentation for these parameters you will discover the gory details about the operation of these two parameters. Some of these details are important, and we'll touch on them later on.
OK let's set some appropriate values for
only to the
smb.conf for our server
[global] interfaces = eth1 lo bind interfaces only = yes
Don't forget to restart Samba after making these changes.
SIGHUP isn't sufficient in this case.
Now since preventing access on particular network interfaces
may be a security sensitive configuration, it might be a good idea
to test that the configuration changes we have made have had some
effect and are working as expected. From the
smb.conf documentation, we know that the
bind interfaces only parameter causes smbd to
restrict which network a TCP port 139 or port 445 connection comes
in on, and nmbd to ignore name registration and query requests
originating on unspecified interfaces.
Let's start with TCP connections to
smbd. Under Unix, it's quite easy to check on
which network address a process is listening on by using the
netstat command. Here's the relevant output of
netstat for our example system:
# netstat -tapn | grep smbd tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 24040/smbd tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 24040/smbd
Note: if you are running Samba 2.2 you won't see an entry for port 445. It's supported in Samba 3.0 and higher only.
After making the required changes to
smb.conf we rerun the
netstat command and get some slightly different output:
# netstat -tapn | grep smbd tcp 0 0 192.168.1.1:139 0.0.0.0:* LISTEN 26182/smbd tcp 0 0 127.0.0.1:139 0.0.0.0:* LISTEN 26182/smbd tcp 0 0 192.168.1.1:445 0.0.0.0:* LISTEN 26182/smbd tcp 0 0 127.0.0.1:445 0.0.0.0:* LISTEN 26182/smbd
Notice that there is no entry for the "all interfaces"
0.0.0.0, but rather a specific line
for each entry in the
This tells us that Samba is only listening on the interfaces we
have told it to, and not every one.
If you're still not convinced, you can use
telnet or any
program that can make a TCP connection to port 139 or 445 (let's
assume that our server has an IP address of
$ smbclient -L //10.1.1.1 -U% Error connecting to 10.1.1.1 (Connection refused) Connection to 10.1.1.1 failed $ smbclient -L //192.168.1.1 -U% Domain=[EXAMPLE] OS=[Unix] Server=[Samba 3.0.20b-Debian] Sharename Type Comment --------- ---- ------- ...
Now, the other half of the problem is to prevent NetBIOS
packets (basically name lookups) from occuring on
eth0. Let's look at the output of
netstat before fiddling with Samba's
# netstat -apn | grep nmbd udp 0 0 10.1.1.1:137 0.0.0.0:* 26245/nmbd udp 0 0 192.168.1.1:137 0.0.0.0:* 26245/nmbd udp 0 0 0.0.0.0:137 0.0.0.0:* 26245/nmbd udp 0 0 10.1.1.1:138 0.0.0.0:* 26245/nmbd udp 0 0 192.168.1.1:138 0.0.0.0:* 26245/nmbd udp 0 0 0.0.0.0:138 0.0.0.0:* 26245/nmbd
This output tells us that
listening on both
eth1 interfaces on the server. Probably due
to the way Samba uses the Unix UDP networking API, there is not
just a single wildcard entry for listening to all interfaces, but
rather one entry for each interface, plus an entry that can
receive broadcast datagrams.
After applying the changes to
smb.conf and restarting,
# netstat -apn | grep nmbd udp 0 0 192.168.1.1:137 0.0.0.0:* 26270/nmbd udp 0 0 0.0.0.0:137 0.0.0.0:* 26270/nmbd udp 0 0 192.168.1.1:138 0.0.0.0:* 26270/nmbd udp 0 0 0.0.0.0:138 0.0.0.0:* 26270/nmbd
Notice that we have now lost the entry for
eth0 and are only listening on
eth1 as well as the broadcast entry.
We can use the
nmblookup program that
comes with Samba to further test that name lookups are not being
processed on the
eth0 interface. The
-B option can be used to specify the
broadcast address to use and thus which network interface the
lookup request appears to come from.
Before we change the
$ nmblookup -B 10.255.255.255 server querying server on 10.255.255.255 10.1.1.1 server<00> $ nmblookup -B 192.168.1.255 server querying server on 192.168.1.255 192.168.1.1 server<00>
Afterwards we can see that our server doesn't respond to NetBIOS
name requests on the
$ nmblookup -B 10.255.255.255 server querying server on 10.255.255.255 name_query failed to find name server $ nmblookup -B 192.168.1.255 server querying server on 192.168.1.255 192.168.1.1 server<00>
interfaces parameter understands a
couple of different ways of specifying network interfaces. You may
like to use the IP and mask format way of specifying a network.
Instead of of specifying
eth1 you can say
10.1.1.1/8 (bit length format) or
10.1.1.1/255.0.0.0 (netmask format). This
may be more readable than just using the interface name.